
From DIT-CDC

Revision as of 08:36, 28 Feb 2007; Gabi

# $Id: dynhad.conf,v 1.37 2001/07/13 13:41:36 jm Exp $
# Home Agent configuration file
#
# Dynamic hierarchical IP tunnel
# Copyright (C) 1998-2001, Dynamics group
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 as
# published by the Free Software Foundation. See README and COPYING for
# more details.
#
#######################################################################
#
# NOTE!
#       This is an example configuration file designed to give
#       perspective to the system configuration AND to provide
#       a basis for a working simple test environment.
#       The values of some of the parameters may not be the
#       same as the daemon's defaults, so don't get confused.
#
#
#######################################################################
#

# Interfaces to be used for Mobile IP services
# interface: name of the interface, e.g. eth0
# ha_disc:
#    0 = do not allow dynamic HA discovery
#    1 = allow dynamic HA discovery with broadcast messages
# agentadv:
#    0 = do not send agent advertisements without agent solicitation
#    1 = send agent advertisements regularly
# interval: number of seconds to wait between two agentadvs
#           (if allowed for this interface)
# force_IP_addr: local address to be forced for this interface
#                (can be used to select one of the multiple virtual
#                addresses); if not entered, the primary address of the
#                interface is used
INTERFACES_BEGIN
# interface  ha_disc  agentadv  interval  force_IP_addr
eth0         1        1         1
INTERFACES_END

# Network Access Identifier (NAI) of this HA
# Unique identifier for this HA. A macro [interface] can be used to get
# the hardware address of an interface in dot-separated format.
# This is needed if private address space is used in the home network.
# NetworkAccessIdentifier "[eth0]@example.com"
NetworkAccessIdentifier "cancun_ha"

# Surrogate HA IP Address
# This is only needed if private address space and a surrogate HA are used in
# the home network.
# SHAIPAddress 10.10.10.10

# Private HA Identifier at SHA
# Unique identifier (32-bit number) at SHA for this private HA.
# This is only needed if private address space and a surrogate HA are used in
# the home network.
# PrivateHAIdentifier 1

# UDP port to listen for registration requests
# The default is 434. Don't modify this field, for compatibility with other
# RFC 2002 compliant implementations.
UDPPort 434

# Socket priority for signaling sockets (UDP) can be set with SO_PRIORITY to
# allow easier QoS configuration. If this argument is set, the given value is
# used as a priority for the signaling socket. E.g. CBQ class can be used to
# make sure that signaling is not disturbed by other traffic on a congested
# link.
# This feature is still undocumented and can be left commented.
#
# SocketPriority 1

# MaxBindings can be used to restrict the maximum number of Mobile Nodes
# that are concurrently attached to this Home Agent.
# The default is 20.
MaxBindings 20

# The default tunnel lifetime is suggested also by the HA.
# The default lifetime is 500.
HADefaultTunnelLifetime 600

# The registration error reply interval should be restricted to
# avoid overloading the system when too many incorrect
# registration messages are received.
# The default value for RegErrorReplyInterval is 1 second.
RegErrorReplyInterval 1

# Triangle tunneling means that packets to the MN are sent via the HA, but
# packets from the MN are routed directly (i.e. the FA uses normal IP routing).
# EnableTriangleTunneling < TRUE | FALSE >
EnableTriangleTunneling TRUE

# Reverse tunneling means bi-directional tunneling in which packets both
# from and to the MN are sent via the HA.
# EnableReverseTunneling < TRUE | FALSE >
EnableReverseTunneling TRUE

########################################################################
# The Home Agent needs to know what kind of security parameters each
# authorized Mobile Node uses. That is why there is a table that maps
# (in a many-to-many relationship) SPI numbers, or SPI-number ranges, to
# IP addresses - or IP-address ranges defined by network addresses and
# netmasks. The netmask may be defined in two ways: either in
# "bit offset notation" (the third row in the example) or in the
# "dotted decimal notation" (the fifth row in the example below).
# The list of Mobile Node information is enclosed between two
# keywords: AUTHORIZEDLIST_BEGIN and AUTHORIZEDLIST_END.
#
# < SPI | SPI-range       IP | network/netmask  >
# Example:

AUTHORIZEDLIST_BEGIN
# SPI           IP
#1000            192.168.240.2
#1001            192.168.240.3
#1002            0.0.0.0/0
#11000-11999     192.168.241.4
#12000           192.168.250.0/255.255.255.0
#13000-14000     192.168.251.0/28
998             193.146.185.44
999             193.146.185.43
AUTHORIZEDLIST_END

# The Home Agent needs a security association for each authorized Mobile
# Node. The association includes the following information.
#
# SPI (Security Parameter Index): a key for the other fields.
#
# Authentication Algorithm:
#    1: MD5/prefix+suffix (a.k.a. keyed-MD5) [RFC 2002]
#    4: HMAC-MD5 [RFC 2104]
#    5: SHA-1 [FIPS 180-1]
#    6: HMAC-SHA1 [RFC 2104]
# Note! MD5/prefix+suffix has known weaknesses and use of HMAC-MD5 is
# recommended. The MD5/prefix+suffix algorithm is for backwards compatibility
# with older versions that do not support the more secure HMAC-MD5.
#
# Replay Protection Method:
#    0: none
#    1: timestamps
#    2: nonces
#
# Timestamp tolerance indicates how many seconds the MN's timestamp can differ
# from the HA's clock. 7 seconds is the recommended default value. This
# tolerance is checked only when timestamps are used for replay protection.
#
# The maximum lifetime for the binding is given in seconds.
# Special case: 65535 (or more) seconds means unlimited time (the binding will
# not expire)
#
# Shared Secret: a secret data known by MN and HA. It can be given as
# a HEX code string, i.e. two characters (0-F) correspond to one octet.
# The shared secret can also be given as a character string (e.g.
# "ABCDE" corresponds to 4142434445).
# Note: RFC 2002 specifies that the default key size is 128 bits (i.e.
# 16 bytes or 32 hex 'characters'). Dynamics supports also other key lengths.
#
# The SPI is the key identifier for the rest of the security parameters
# on the same line. SPI number ranges may be assigned the same security
# parameters.
#
# The list of Mobile Node information is enclosed between two
# keywords: SECURITY_BEGIN and SECURITY_END.
#
SECURITY_BEGIN
#       auth.   replay  timestamp       max             shared
# SPI   alg.    meth.   tolerance       lifetime        secret
998     4       0       120             600             "clav16caracteres"
999     4       0       120             600             "clav16caracteres"
1000    4       1       120             600             "test"
#1002    4       2       60              120             01020304050607
#10000   4       1       60              300             016A352B2F235E
#10001   4       1       120             180             0EF42BD234ECCAA2
SECURITY_END
#
########################################################################
# Home Agent may have optional security associations with Foreign
# Agents. If the security association exists the session key can be
# encrypted with the help of shared secret and thus man-in-the-middle
# style attacks can be prevented. If no security association is set
# for a certain Foreign Agent - Home Agent pair, public key encryption
# (RSA) is used.
#
# When private address space is used, this list must have a security
# association with the surrogate HA instead of the FAs. Possible security
# associations with the FAs are then configured to the SHA.
#
# The following list contains the shared secrets indexed by SPI (and
# Foreign Agent IP address). The algorithm field specifies the method
# used for authentication and key distribution:
#    1: MD5/prefix+suffix (a.k.a. keyed-MD5) [RFC 2002]
#    4: HMAC-MD5 [RFC 2104]
#    5: SHA-1 [FIPS 180-1]
#    6: HMAC-SHA1 [RFC 2104]
# The format of the shared secret field is identical to the one used with the
# MN-HA security association list above.
#
FA_SECURITY_BEGIN
# SPI           FA IP           Alg.    Shared Secret
#2001           192.168.0.1     4       0123456789ABCDEF
#2002           192.168.0.2     4       "eslkfj89jr3hduh3R!as"
FA_SECURITY_END
#
# The Highest FA public key can be protected from man-in-the-middle style
# attacks between the HFA and the HA with hash code. The use of this hash
# is optional, but recommended. The HA can have different ways of checking
# the hash code.
# Methods:
#    0: skip the hash code completely (not recommended)
#    1: if the hash code is received, check the public key with it
#    2: require the correct hash code for every registration message
#       with a public key (this may prevent the use of some organizations
#       which do not advertise the hash code)
PublicKeyHashMethod 0
#PublicKeyHashMethod 1
#
########################################################################

# The log messages are written through syslog service. The facility to be
# used defaults to LOG_LOCAL0, but it can be set with this parameter
# to any of the possible facilities (LOG_AUTHPRIV, LOG_DAEMON, and so on).
# The processing of log messages is defined in the /etc/syslog.conf file.
SyslogFacility LOG_DAEMON

# Home Agents (and Foreign Agents) use unix domain sockets
# to communicate through their API interfaces.
# The group and owner must be given as names (strings); numeric group or
# user IDs are not allowed. The file permissions are set in octal values
# like in chmod(1).
# The configuration parameters of the two API sockets are as follows:
HAAPIReadSocketPath "/var/run/dynamics_ha_read"
HAAPIReadSocketGroup "root"
HAAPIReadSocketOwner "root"
HAAPIReadSocketPermissions 0766
#
HAAPIAdminSocketPath "/var/run/dynamics_ha_admin"
HAAPIAdminSocketGroup "root"
HAAPIAdminSocketOwner "root"
HAAPIAdminSocketPermissions 0700
#
# Every configuration file must end with the keyword 'END'.
END
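As an added example, not part of the Dynamics distribution or of this page's original content, the following Python reads the AUTHORIZEDLIST and SECURITY sections in the layout shown above, applies the SPI-plus-address check the HA performs on a registration (SPI ranges, /bits and dotted-decimal netmasks), decodes quoted and hex shared secrets, and flags the settings the comments above describe as weak (keyed-MD5, no replay protection, secrets shorter than the 128-bit default). The configuration text inside it is constructed for the example; it is not the file shown on this page.

```python
import ipaddress
SAMPLE = """\
# Constructed sample in the dynhad.conf layout shown above (not this page's own values)
AUTHORIZEDLIST_BEGIN
1000            192.168.240.2
11000-11999     192.168.241.4
12000           192.168.250.0/255.255.255.0
AUTHORIZEDLIST_END
SECURITY_BEGIN
998     4       0       120     600     "clav16caracteres"
1000    4       1       7       600     "test"
10001   1       1       120     180     0EF42BD234ECCAA2
SECURITY_END
"""

def _entries(text, begin, end):
    """Entry lines between two exact keyword lines; '#' comments are stripped first."""
    lines = [ln.split("#", 1)[0].strip() for ln in text.splitlines()]
    return [e for e in lines[lines.index(begin) + 1:lines.index(end)] if e]
def _spi_range(field):
    lo, _, hi = field.partition("-")  # "1000" or "11000-11999"
    return int(lo), int(hi or lo)

def parse_authorized(text):
    """[(spi_lo, spi_hi, network)]; ipaddress accepts /bits and /dotted masks alike."""
    return [(*_spi_range(spi), ipaddress.ip_network(addr, strict=False))
            for spi, addr in (e.split() for e in _entries(text, "AUTHORIZEDLIST_BEGIN", "AUTHORIZEDLIST_END"))]
def is_authorized(entries, spi, ip):
    """The HA accepts a registration only if one entry covers both the SPI and the MN address."""
    return any(lo <= spi <= hi and ipaddress.ip_address(ip) in net for lo, hi, net in entries)

def parse_security(text):
    """[(spi_lo, spi_hi, alg, replay, tolerance, lifetime, secret_bytes)]; quoted or hex secrets."""
    rows = []
    for e in _entries(text, "SECURITY_BEGIN", "SECURITY_END"):
        spi, alg, replay, tol, life, secret = e.split(None, 5)
        key = secret[1:-1].encode() if secret.startswith('"') else bytes.fromhex(secret)
        rows.append((*_spi_range(spi), int(alg), int(replay), int(tol), int(life), key))
    return rows

def lint_security(text):
    """Flag what the comments above call weak: alg 1, replay 0, secret under 128 bits."""
    found = []
    for lo, hi, alg, replay, _tol, _life, key in parse_security(text):
        tag = f"SPI {lo}" if lo == hi else f"SPI {lo}-{hi}"
        checks = [(alg == 1, "keyed-MD5; use HMAC-MD5 (4) or HMAC-SHA1 (6)"),
                  (replay == 0, "replay protection disabled"),
                  (len(key) < 16, f"{len(key)}-byte secret below the 128-bit default")]
        found += [f"{tag}: {msg}" for bad, msg in checks if bad]
    return found
```

Because comments are stripped before the section keywords are matched, the explanatory comment lines in the real file that mention AUTHORIZEDLIST_BEGIN or SECURITY_END do not open or close a section.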
